Compliance Updates:

Know more about evaluation of

System of Quality Management
and inspection methodology

24 November 2023

1
Disclaimer

 The opinions expressed by external guest speakers are, by their nature, those
of the speakers. They are not necessarily endorsed by the Institute nor do
they necessarily reflect the official policies and views of the Institute, its
staff or members.
 The Institute takes no responsibility for any loss associated with any person
acting or refraining from acting as a result of participation in the event.
 The Institute does not endorse or recommend any products or services that
may be mentioned in the event and is not responsible for any loss or damage
arising from the use of such products or services. Participants are reminded
that there may be a wide range of related products or services available in
the market and that they should carry out their own research and obtain
independent advice before subscribing to any products or services.

2
Disclaimer (cont’d)

 The materials of this event are intended to provide general information only.
Examples and other materials used in this event are sourced from publicly
available information and only for illustrative purposes and should not be
relied upon for technical answers or as advice. The Institute, the speaker(s)
and the firm(s) that the speaker(s) is representing take no responsibility for
any errors or omissions in, or for the loss incurred by individuals or
companies due to the use of, the materials of this event.
 No claims, action or legal proceedings in connection with this event brought
by any individuals or companies having reference to the materials on this
event will be entertained by the Institute, the speaker(s) and the firm(s) that
the speaker(s) is representing.
 The All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system or transmitted, in any form of by any means,
electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of the Institute.

3
About the Speaker

 Ms. Elsa Ho (FCA, CPA, LLB, CAMS, BA)

Ms. Elsa Ho is the Senior Director of Wisdom Pro Services Limited that
offers technical and advisory services on compliance with professional
standards, in particular monitoring and consultation services for practice
units. She was the former Director of Quality Assurance of the Hong Kong
Institute of Certified Public Accountants (“HKICPA”) in charge of the practice
review and professional standards monitoring programmes and the former
Deputy Head of Inspection of the Accounting and Financial Reporting Council
(“AFRC”) responsible for inspections. Elsa was previously the head of the
technical department of an international practice in Hong Kong looking after
technical, monitoring and training of the practice and worked in the standard
setting department of the HKICPA with a work focus on financial reporting
standard setting. She has all round experience in setting, implementing,
monitoring and regulating compliance with professional standards.

4
Past event polling questions and results

Two polling
questions raised
at an event held
on
20 October 2023

5
Polling question 1 on 20 October 2023 – 79% had
not completed the annual QMS evaluation and
52% was still exploring how to do it

6
Polling question 2 on 20 October 2023 – 85% feel
concerned about an inspection and 52% was due
to “not knowing what to expect”

7
Agenda

 Evaluation of system of quality management (QMS)

 Published inspection methodology

8
Agenda - Evaluation of system of
quality management (QMS)
I. HKICPA Alert 45 – Monitoring Activities and QMS
Evaluation
II. Pitfalls in the Development of Quality
Management Manual
III. Common Quality Control Deficiencies
(extracted from AFRC’s 2022
Annual Inspection Report)

9
I. HKICPA Alert 45 – Monitoring Activities and
QMS Evaluation

10
I. HKICPA Alert 45
A. MONITORING AND REMEDIATION PROCESS
 STEP 1 – Designing and Performing Monitoring Activities
 Ongoing and periodic monitoring activities
 Inspection of Completed Engagements (at least one completed engagement for each
engagement partner on a cyclical basis of three years)
 Other Types of Monitoring Activities

11
I. HKICPA Alert 45
A. MONITORING AND REMEDIATION PROCESS
 STEP 2 - Evaluating findings and identifying deficiencies (specifically defined),
and evaluating identified deficiencies

Note:

12
I. HKICPA Alert 45
A. MONITORING AND REMEDIATION PROCESS
 STEP 3: Responding to identified deficiencies

13
I. HKICPA Alert 45
A. MONITORING AND REMEDIATION PROCESS
 STEP 4: Ongoing communication related to monitoring and remediation

14
I. HKICPA Alert 45
B. EVALUATION OF THE FIRM’S QMS/SOQM

Seek help if
Source: https://www.hkicpa.org.hk/-/media/HKICPA- needed before too
Website/New-HKICPA/Standards-and-regulation/SSD/03_Our-
views/Financial-Reporting-Auditing-and-Ethics-Alert/alert45f.pdf
late !!! 15
II. Pitfalls in the Development of Quality
Management Manual

16
II. Pitfalls in the Development of QMM
 Don’t know how to start, in particular the risk assessment, and
underestimate the time required to design, implement and maintain the
QMM
 Not enough tailoring of the QMM to suit own circumstances and reflect
actual practice given:
 The concerns over inadvertent breaches
 The inability to distinguish between “nice to have” and “required to
have” provisions
 Not realising that “non-compliance with own policies and procedures” is
equally as bad and will be taken as findings
 For the risk assessment:
 Not realising that it is perfectly OK to have quality objectives no more
than those already set out in the Standard to start with

17
II. Pitfalls in the Development of QMM (cont’d)
 Not enough efforts to distinguish quality risks being only those that
have a reasonable possibility of (i) occurring and (ii) individually, or in
combination with other risks, adversely affecting the achievement of
one or more quality objectives
 Not tailoring enough the suggested responses other than the specific
quality responses, in particular, the same policies and procedures are
repeatedly stated as the corresponding policies and procedures to
many responses, raising questions about whether the responses could
have been better tailored or not
 No timely implementation of quality responses and policies and
procedures set out in the QMM and not realising that efforts are needed
to up-keep the responses to avoid non-compliance
 No keeping evidence to show information and communication about the
QMS are provided to relevant personnel and external parties on a timely
basis and to demonstrate compliance

18
III. Common quality control deficiencies — Extracted
from the AFRC 2022 Annual Inspection Report
Expect to have monitoring over
accuracy and completeness of
confirmed information

Audit clients should include related

entities over which clients have
direct or indirect control

Beware (a) of prohibited services

and (b) to establish a clear
Chinese wall if such is determined
as an appropriate safeguard

Where risk factors (prior

unresolved audit matters, late
appointment and already a
large portfolio of clients) exist,
Source: https://www.frc.org.hk/en-hk/Documents/Publications/periodic- 19 the thought process to support
reports/2022_AFRC%20Inspection%20Report_eng.pdf the acceptance/ continuance
decision is important
III. Common quality control deficiencies — Extracted
from the AFRC 2022 Annual Inspection Report
Need to understand the
training needs of each staff
level and provide appropriate
training accordingly

This is an automatic finding

for an engagement assessed
as unsatisfactory

It is common to select a
monitored engagement to
inspect to assess the
effectiveness
of monitoring

Source: https://www.frc.org.hk/en-hk/Documents/Publications/periodic- 20
reports/2022_AFRC%20Inspection%20Report_eng.pdf
Agenda

 Evaluation of system of quality management (QMS)

 Published inspection methodology

21
Published Inspection Methodology

 Before the regulatory reform as the HKICPA is a IFAC member, its practice
review programme was benchmarked to the IFAC’s SMO 1 for Quality
Assurance (with detailed procedural guideline). Statements were also
published in members’ handbook to set out detailed procedures in the
conduct of a practice review.
 After the regulatory reform, policy statements which primarily set out the
legal framework for inspections of PIE auditors with respect to PIE
engagements and inspection of practice units with respect to engagements
other than PIE engagements and AML Guidelines compliance have been
published.
 Other information about the inspection programme can however be found in
the inspection FAQ and published inspection reports.

22
Published Inspection Methodology — Extracted
from the AFRC 2022 Annual Inspection Report

23
Published Inspection Methodology — General

 Practice selection:
 Category A, B and C firms complete more than 100, between 10 and 100
and at least 1 but less than 10 listed entity audits annually, respectively.
Category A firms are reviewed annually and Category B and C firms are
reviewed at least once in a three year inspection cycle.
 Category D firms are firms which have more than 20 engagements having
more public interest elements and/or more than 500 non-PIE engagements.
They are selected for inspection at least once every three years. Other
practice units not in Categories A to D are categorised as Category E firms
and they are selected for inspection in lesser frequency than Category D
firms using sampling approaches with risk based outlays (with random
elements).
 FAQ 5 (Practice Units) — Normally, a notification letter will be issued at
least six weeks before the scheduled inspection
Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf, https://www.afrc.org.hk/en-hk/frequently-asked-
questions/?tab=practice-units and https://www.afrc.org.hk/en-hk/frequently-asked-questions/?tab=pie-auditors 24
Published Inspection Methodology — General
(cont’d)
 Inspection coverage — System of Quality Management, engagements and AML
Guidelines compliance. Non-PIE inspection — use common methodology and
apply the principle of proportionality.
 FAQ 9 (Practice Units): The selected practice unit is required to provide
the required information (https://www.afrc.org.hk/en-
hk/Documents/inspection/Full_list_of_info_required.pdf) in relation to its
quality management system, AML Guidelines compliance and audit and
assurance engagements 21 days after the inspection notification
 Engagement selection and Focus areas — Risk based with some key factors
identified (details later)
 FAQ 3 (PIE auditors): selected PIE engagements — required to provide all
audit documentation within one week of notification

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf, https://www.afrc.org.hk/en-hk/frequently-asked-
questions/?tab=practice-units and https://www.afrc.org.hk/en-hk/frequently-asked-questions/?tab=pie-auditors 25
Published Inspection Methodology — General
(cont’d)
 Inspection rating:
 System of Quality Control/ Management and Non-PIE engagements are
not rated.
 PIE engagements classified into:
 “Good (Category 1)”,
 “Limited improvements required (Category 2)”,
 “Improvements required (Category 3)” and
 “Significant improvements required (Category 4)”,
but only the rating categories of inspected PIE engagements of
Category A firms are published individually (apart from Big four, over
90% of inspected engagements of practice units received rating 3 or 4).
Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf 26
Published Inspection Methodology — General
(cont’d)
 Inspection outcome (defined in AFRCO):
 Close
 Require taking a measure or corrective action
 Conducting a further inspection
 Initiating an investigation
 Imposing a sanction
 For a PIE engagement, taking any other action considered
appropriate (e.g. share the relevant information with the SFC)

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf 27
Published Inspection Methodology — General
(cont’d)
 Engagements rated 4 will be referred and engagements rated as 3 will be
considered for referring to the AFRC’s Investigation and Compliance Department
which might ultimately result in a disciplinary sanction
 FAQ 17 (PIE auditors): Where there is sufficient evidence of misconduct on the
part of a PIE auditor, for instance, where a breach of ethics is clearly identified,
the inspection report may be referred to the Department of Discipline of the AFRC
for consideration of sanctions
 An effective root cause analysis (RCA) is required to be carried out to understand
the underlying causes of audit deficiencies and to establish appropriate corrective
actions to prevent them from reoccurring. A remediation plan is required to be
submitted to address plans to remediate the findings identified
 A requirement letter will be issued to set out specific actions required to be taken
if the remediation plan submitted is not considered satisfactory. The relevant
practice unit will then be required to provide a monitoring report every 3 months
with supporting documents demonstrating the implementation progress of the
required actions until they are fully implemented

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf, https://www.afrc.org.hk/en-hk/frequently-asked-
questions/?tab=practice-units and https://www.afrc.org.hk/en-hk/frequently-asked-questions/?tab=pie-auditors
28
Focus for 2023 and beyond

 2023 and beyond inspection focus will be on areas where significant / recurring
deficiencies were identified in previous inspections and how practice units address
audit risks arising from changes in economic and market conditions and new and
revised standards, including the following for 2023:
 risk assessment process of the new QMS,
 AML Guidelines compliance; and
 enhanced procedures for identifying and assessing risk of material
misstatement required by HKSA 315 (revised 2019) effective for periods
beginning on or after 15 December 2021 (new templates issued in APM)
 More work on evaluation of design and implementation of defined controls,
including controls to address a significant risk and controls over journal entries
 More work to understand use of IT, IT risks and IT general controls
 Separation of assessment of inherent risk and control risk

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf 29
Focus for 2023 and beyond (cont’d)

 Auditors should future consider emerging risks e.g. cyber security risks and
climate related risk
 Proactive actions will be taken to address situations where
 there are an increasing number of late changes of PIE auditors due to
unresolved audit matters
 practice units act as the principal auditors but significant parts of audit are
performed by other auditors located in other jurisdictions
 practice units with significant quality deficiencies with no substantial improvement
in audit quality ratings

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf 30
Engagement selection

Source: https://www.afrc.org.hk/en-hk/Documents/Publications/periodic-
reports/2022_AFRC%20Inspection%20Report_eng.pdf 31
Pro Tips: Engagements (based on
own view)
 Revenue and management override of control are the two presumed fraud
risk areas and therefore will usually be covered
 Key audit matters and matters disclosed as requiring significant judgement
and estimation are also areas that will commonly be considered as focus areas
 Where applicable, audit report modifications will be carefully reviewed to
assess the appropriateness of the modifications and actions to address
implications on (prior) continuance
 Given the changes introduced by HKSA 315, work on use of IT is expected to
be seen in 2023 audits for 2022 year end financial statements

32
Pro Tips: Changes from old regime
— Some key points to note
 No more concept of identical practice units — Beware of how the relevant
ethical requirements are to be applied:
 On a standard alone firm basis (e.g. assessment of 15% threshold of audit
fee from a listed entity client over the total fee for determination of
whether safeguards are required)
 On a network basis
 No tolerance of self monitoring of engagements — as Para. 39(b) of HKSQM 1
requires practices to:
Address the objectivity of the individuals performing the monitoring
activities. Such policies or procedures shall prohibit the engagement
team members or the engagement quality reviewer of an engagement
from performing any inspection of that engagement.

33
Contacts

Elsa Ho For more information, please

Senior Director visit: www.wisdompro.com.hk
elsaho@wisdompro.com.hk

General enquiry
Phone & WhatsApp: (+852) 6655 0753
info@wisdompro.com.hk
You can sign up to our website if you
would like to receive technical updates,
latest news and offers from us.

34
Thank you

35